4 steps to the UK's Cyber Essentials certification

Cyber Essentials certification can help defend against cyberattacks and secure new business. Experts share advice on how to achieve Cyber Essentials accreditation for UK companies.


Cyber Essentials is a UK government scheme that certifies organisations against cybersecurity standards. Launched in 2014, it offers two certification types: basic Cyber Essentials and Cyber Essentials Plus. Both have a set of cybersecurity requirements that organisations must meet to achieve accredited status.

Here are insights on the key aspects of Cyber Essentials accreditation in 2021 from the National Cyber Security Centre (NCSC), UK organisations that have recently embarked on the process, and those that specialise in supporting companies to achieve certification.

Benefits of Cyber Essentials certification

According to the NCSC, Cyber Essentials certification gives businesses confidence that their security will protect them against most common cyber risks due to the technical controls required. “Cyber Essentials shows you how to address those basics and prevent the most common attacks,” NCSC explains, whilst Cyber Essentials Plus includes the addition of hands-on technical verification.

In addition, accreditation gives organisations a clear picture of their cybersecurity level, assures customers that they are focused on preventing cyberattacks, and helps attract new business, with Cyber Essentials certification becoming a common prerequisite for contracts that involve interaction with government departments.

The latter is a growing trend, and something that Richard Andreae, a Cyber Essentials certification provider who works with organisations to support them in achieving accreditation, says is one of the chief benefits of Cyber Essentials status in 2021. “Most/all government tenders now require your organisation to have Cyber Essentials certification at the very least,” he says.

This was the case for UK charity Sustrans, which pursued Cyber Essentials accreditation this year in relation to its work with public sector tendering. Lyndsey Melling, IT and systems project manager, tells CSO: “We needed to gain Cyber Essentials accreditation in just three months, or risk missing out on a major, multi-year program of work. Complying with the requirements of Cyber Essentials was absolutely essential to winning this major contract.”

The hard work paid off, she adds, and has resulted in Sustrans passing the requirements and being able to work with national and local governments. “This will be a multi-year series of activities that will use our experience and advocacy knowledge to its best effect, as well as supporting our ongoing remit.”

Cloud workforce management startup Gig Grafter is another UK company that recently embarked on the Cyber Essentials process, achieving both the standard and Plus accreditation. Its co-founder and director Barry Lynch says the company did so for the opportunity to attest to the security of both its organisation and its client applications. This helps Gig Grafter better secure its client, supplier, and staff data, making a clear statement that security is top of mind across the organisation and giving comfort to stakeholders.

“Whilst our target market is largely SMEs, by building a strong security posture at this early stage of business, we feel this will stand us in good stead when we come to market our product to larger organisations over the medium- to long-term,” Lynch says.

Cyber Essentials will also benefit organisations when it comes to cyber insurance, adds Andreae. “If you implement Cyber Essentials, most insurers will offer you a better policy giving improved cover in the event of any cyber related claims.”

Achieving Cyber Essentials certification

Each organisation’s journey to Cyber Essentials accreditation is unique and dependent on several factors, including sector, size, and risk appetite. However, respondents cite the steps below as universally useful for companies seeking Cyber Essentials certification.

1. Commit to timely security and vulnerability management

“As an organisation, you must be committed to taking the steps necessary to secure all aspects of the organisation and systems within your scope,” says Lynch.

One of the biggest challenges facing businesses when implementing Cyber Essentials is around patch management, adds Andreae. “This is the most overlooked control and the most common failure on Cyber Essentials Plus audits. The requirement is to patch all operating systems and applications within 14 days of a fix being issued.”

To address this, Melling says Sustrans moved to a more automated process around its assets. “We knew that our existing, manual approach to vulnerability management would be unable to meet Cyber Essentials requirements, so we decided to look for a new solution.”
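As an added example (not from the article, the NCSC, or any of the organisations quoted), the script below checks a constructed patch inventory against the 14-day window Andreae cites, flagging fixes that were applied late or are still outstanding past their deadline. The asset names, dates, record layout and the reference date are all assumptions made for illustration.

```python
from datetime import date, timedelta

# Cyber Essentials requires fixes for operating systems and applications to be
# applied within 14 days of the vendor issuing them (the figure quoted above).
PATCH_WINDOW = timedelta(days=14)

# Constructed sample inventory: (asset, software, fix released, fix installed or None).
# In practice these rows would come from the asset-inventory or patch-management tool.
INVENTORY = [
    ("laptop-01", "OS", date(2021, 6, 1), date(2021, 6, 5)),
    ("laptop-02", "OS", date(2021, 6, 1), date(2021, 6, 20)),
    ("laptop-03", "browser", date(2021, 6, 20), None),
    ("server-01", "web-app", date(2021, 5, 20), None),
    ("server-02", "database", date(2021, 6, 10), date(2021, 6, 10)),
]

# Assumed reference date for the check (a real run would use date.today()).
AS_OF = date(2021, 6, 25)


def patch_status(record, today):
    """Classify one inventory row against the 14-day deadline."""
    asset, software, released, installed = record
    deadline = released + PATCH_WINDOW
    if installed is None:
        # Not yet patched: only a failure once the deadline has passed.
        state = "overdue" if today > deadline else "pending"
    elif installed <= deadline:
        state = "compliant"
    else:
        state = "late"
    return {"asset": asset, "software": software, "deadline": deadline, "state": state}


def compliance_report(inventory, today):
    """Summarise per-state counts and list the rows that would fail an audit."""
    results = [patch_status(r, today) for r in inventory]
    counts = {}
    for r in results:
        counts[r["state"]] = counts.get(r["state"], 0) + 1
    failing = [r for r in results if r["state"] in ("overdue", "late")]
    return {"total": len(results), "counts": counts, "failing": failing}


if __name__ == "__main__":
    report = compliance_report(INVENTORY, AS_OF)
    print(f"{report['total']} assets checked, counts: {report['counts']}")
    for row in report["failing"]:
        print(f"FAIL {row['asset']} ({row['software']}): {row['state']}, deadline {row['deadline']}")
```

Anything listed as "pending" is not yet a failure but is the queue to watch as the deadline approaches.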

2. Involve the board

Having the board involved is key to the successful implementation of Cyber Essentials, says Andreae. “The scheme is based on a top-down approach with the board signing off the assessment submission. Some businesses just want the certificate and don’t necessarily want to put in the effort to achieve this, which is dangerous, and could leave your organisation vulnerable if the steps to securing the business have not been fully implemented.”

3. Consider third-party support

Whilst basic Cyber Essentials is self-certified, having a tried and trusted security partner that can guide you through the process can prove hugely beneficial, especially if you are contemplating the Plus certification, which requires further third-party scrutiny and testing, Lynch says.

4. Allocate adequate time and resources

Achieving Cyber Essentials certification requires time and effort, Lynch says. As a startup with many competing pressures, this was particularly challenging for Gig Grafter. “Carving out time was a huge hurdle, but being committed to the longer-term benefits helped enable us to free up that time with the support of all stakeholders,” he says.

Copyright © 2021 IDG Communications, Inc.
